Saturday, 13 May 2017

NHS hack: a single point of failure

The NHS hack is actually symptomatic of everything that is wrong with the NHS. When you have a uniform system proscribed by the central authority it only ever moves as the speed of the slowest boat in the convoy. It also means that there are single points of failure for the entire system so when it does fail, it fails hard.

The second consideration the same complaint I have with the EU. Harmonisation of standards and procedures is desirable where necessary but too often this is done for its own sake. The system was developed on the assumption that we would have a highly mobile population that would necessarily require a high degree of data connectivity. This hasn't happened. People still tend to opt for local treatments.

Furthermore, universal systems tend to be bloody awful because they try to do everything all at once. You can design a perfectly viable prototype but at every exposure to reality, where there are hundreds of security consideration, you find that the system slows down to the point of uselessness. Anyone who has ever attempted to claim JSA can attest to that.

Ideally you need to map your typical data flows by region and let them sort out their own systems, thereby passing the liability and the responsibility to the local level. The smaller the system, the less the likelihood of cost overruns and systemic failures. The way to connect them up is through central processing servers handling standardised record formats. It may be a little slower, but it's tried and true technology. It's what ATMs have been using for decades.

As ever with government IT, the bigger it is, the harder it fails. In private health systems you tend to find that systems are developed independently according to the specialism, though observing common standards. This allows for seamless transfer of data - and very often there is no time or cost penalty.

In effect the best way to secure a system is not to have a system at all. That way the vulnerabilities are limited. It is ultimately the hubris of government that believes that we can have universal all singing, all dancing systems which can stay ahead of the many threats. That is never going to be the case.

One could argue that this is an argument for more privatisation. Be your own judge. There is, however, certainly a case for devolved IT procurement and hyper localisation of health administration. The added benefit to this is that local authorities are free to try out new cost saving ideas and methods and you get cross pollination of good ideas. That means some systems that work will remain positively antique while other are cutting edge.

In a lot of ways the age of a system is irrelevant. Parts of HBOS are sill running on 1990's computing simply because they are well isolated. If, however, you move to a model of centrally mandated platforms then any vulnerability you introduce is systemic.

In this the NHS is far from unique. The command and control mentality is prevalent throughout all corporate scale bureaucracies. There is an inherent desire to micromanage - ultimately leading to structures where unforeseen functions are not catered for which spawns volumes of unofficial solutions which detract from the overall system integrity.

What you then find is that you have the system that the management thinks is in place and then the one that makes it all work, as devised by local operators. This is why centrally mandated efforts to streamline IT very often make it worse. The central body often assumes perfect knowledge of how things work on the ground level and can often see no reason why there would need to be local differentiations.

It's true that some operations are needlessly divergent and inefficient but very often its better to tolerate those inefficiencies if a system works. There is nothing more expensive and inefficient than government programmes to improve efficiency.